          Create a DKIM Key

          DomainKeys Identified Mail (DKIM) is a security standard that attaches a digital signature to your emails to prove that they came from you. With this signature, the receiving server can verify that the message content wasn’t altered or faked during transit. DKIM builds trust with email providers, so your messages are more likely to land in the inbox instead of the spam folder. An active DKIM key verifies your domain ownership so that Salesforce can send email for your users.

          Required Editions

          Available in: Salesforce Classic and Lightning Experience
          Available in: all editions except Database.com
          User Permissions Needed
          Manage DKIM keys: Customize Application

          When you digitally sign your emails with a DomainKeys Identified Mail (DKIM) key, the signature proves that the message came from your domain. For more information, see Considerations for DKIM Keys.

          Important
          Before Salesforce can send email on behalf of your users, domain-level and user-level verification is required. An active DKIM key fulfills the requirement for domain-level verification only when the domain name of the DKIM key matches the entire domain shown in the 'From' address. To send and sign email from Salesforce, create a separate DKIM key for each domain and subdomain. See Requirements to Send Email from Salesforce.

          Add a DKIM Key in Setup

          1. From Setup, in the Quick Find box, enter DKIM Keys, and then select DKIM Keys.
          2. Click Create New Key.
            The new DKIM key pair defaults to the Inactive state.
          3. Select the RSA key size.

            Select 2048-bit unless a specific application requires smaller keys.

          4. For Selector, enter a unique string of up to 62 letters, digits, and hyphens to identify this key. Start with a letter or number. For example, example-sf-a.
          5. For Alternate Selector, enter another unique string of up to 62 letters, digits, and hyphens. Start with a letter or number. For example, example-sf-b.

            Salesforce uses the alternate selector to auto-rotate your keys. See Considerations for DKIM Keys.

          6. Enter the domain name used to send email from Salesforce.
            After you save a DKIM key, you can’t edit the domain name.
          7. For domain match pattern, enter a comma-separated list of domain patterns that the domain name must match before Salesforce signs an email with this DKIM key.
            Here are two examples of a recommended domain match pattern value.
            • Domain: example.com and Domain Match Pattern: example.com
            • Domain: mail.example.com and Domain Match Pattern: mail.example.com
            Important

            To send and sign emails for a subdomain that you own, such as mail.example.com, create a separate DKIM key for each subdomain.

            Don’t use wildcards in the domain match pattern list for DKIM keys for domains that you own. Although wildcards are permitted in this field, we no longer recommend that option.

          8. Save your changes.

            Salesforce publishes two DKIM public keys to DNS TXT (text) records for a Salesforce-owned domain: a primary and alternate key. The alternate key is used during key rotation.

            Salesforce also generates corresponding canonical domain name (CNAME) records for your domain, which become the second half of the DKIM key pair. This process usually finishes within 15 minutes.

          Update DNS

          Add the CNAME and Alternate CNAME records to your domain’s DNS record.

          1. From Setup, in the Quick Find box, enter DKIM Keys, and then select DKIM Keys.
          2. To view the key details, click the selector of the key.
            DKIM key details

            When Salesforce has finished publishing the TXT records for the private key, the CNAME Record and Alternate CNAME Record fields are shown.

            If the TXT Record Status is “Publishing in progress”, wait a few minutes and try again. Refresh the page in your browser, or reload the DKIM key list in Setup and click the selector again.

          3. Add the CNAME and Alternate CNAME records to DNS for your domain.
            Note

            Work with your DNS provider to complete this step.

            If you enter this information via your DNS provider’s website, check their documentation for their expected formats. Some DNS providers require the domain name when you enter the name value, and some omit it. In our example, the .example.com string is the domain name.

            Here’s an example of DNS CNAME records for a DKIM Key with a domain of example.com and selectors example-sf-a and example-sf-b.

            NAME                                  TTL   CLASS  TYPE   VALUE
            ----------------------------------------------------------------------------------------------------
            example-sf-a._domainkey.example.com.  3600  IN     CNAME  example-sf-a.k4tyd2.custdkim.salesforce.com.
            example-sf-b._domainkey.example.com.  3600  IN     CNAME  example-sf-b.e6mxu6.custdkim.salesforce.com.
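The following check is an added example, not Salesforce code. It lints CNAME records written in zone-file syntax before you activate the key, and catches the relative-name mistake described in the note above, where a missing trailing dot makes the DNS server append the domain a second time. The `.custdkim.salesforce.com.` target suffix is an assumption taken from the example records on this page, and the function names and sample zones are constructed for illustration.

```python
import re

# Selector rule from step 4 of this page: up to 62 letters, digits and hyphens,
# starting with a letter or digit.
SELECTOR_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9-]{0,61}")
# Assumption: CNAME targets sit under this suffix, as in the page's example records.
TARGET_SUFFIX = ".custdkim.salesforce.com."

def expected_owner(selector, domain):
    """Fully qualified owner name of the CNAME record for one selector."""
    if not SELECTOR_RE.fullmatch(selector):
        raise ValueError(f"invalid selector: {selector!r}")
    return f"{selector}._domainkey.{domain.rstrip('.')}.".lower()

def absolutize(name, origin):
    """Expand a name as a zone file does: no trailing dot means relative to the origin."""
    name = name.lower()
    return name if name.endswith(".") else f"{name}.{origin.rstrip('.').lower()}."

def lint_cnames(zone_text, domain, selectors):
    """Return a list of problems with the DKIM CNAME records for the given selectors."""
    found = {}
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) == 5 and f[2].upper() == "IN" and f[3].upper() == "CNAME":
            found[absolutize(f[0], domain)] = absolutize(f[4], domain)
    problems = []
    for selector in selectors:
        owner = expected_owner(selector, domain)
        target = found.get(owner)
        if target is None:
            problems.append(f"{owner} has no CNAME record")
        elif not target.endswith(TARGET_SUFFIX):
            problems.append(f"{owner} points to {target}")
    return problems

# Constructed sample input, columns NAME TTL CLASS TYPE VALUE as in the table above.
GOOD = """\
example-sf-a._domainkey.example.com. 3600 IN CNAME example-sf-a.k4tyd2.custdkim.salesforce.com.
example-sf-b._domainkey 3600 IN CNAME example-sf-b.e6mxu6.custdkim.salesforce.com.
"""
# Constructed: one owner name and one target have lost their trailing dot.
BAD = """\
example-sf-a._domainkey.example.com 3600 IN CNAME example-sf-a.k4tyd2.custdkim.salesforce.com.
example-sf-b._domainkey.example.com. 3600 IN CNAME example-sf-b.e6mxu6.custdkim.salesforce.com
"""

if __name__ == "__main__":
    for label, zone in (("good", GOOD), ("bad", BAD)):
        print(label, lint_cnames(zone, "example.com", ["example-sf-a", "example-sf-b"]))
```

DNS provider web forms differ in whether they expect relative or absolute names, so treat the result as a check on the records as the server will expand them, not on what you typed.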

          Activate Your DKIM Key

          When DNS propagation is complete, your CNAME and Alternate CNAME records appear on the DKIM Key Details page.

          Note
          DNS changes can take up to 72 hours to propagate.
          1. From Setup, in the Quick Find box, enter DKIM Keys, and then select DKIM Keys.
          2. Click Edit for the key.

            You can’t activate your DKIM key until your CNAME records are published to your domain’s DNS record. When DNS propagation is complete, the Activate option appears on the DKIM Details page.

            To refresh the DKIM Key Details page, reload the page in your browser or reload the DKIM key list in Setup and click the selector again.

          3. Click Activate.

          For security, Salesforce rotates your DKIM keys every 30 days. When you activate your DKIM key, Salesforce creates a secondary, inactive DKIM key for the next rotation. The second CNAME record points to that key.

          After you activate the DKIM key in Setup, no further action is required for key rotation. See Considerations for DKIM Keys.

          This video discusses the three main components of email trust and antispoofing: DKIM, SPF (sender policy framework) and DMARC (domain-based message authentication, reporting and conformance). It demonstrates setting up a DKIM key.
